Ransomware Roundup – Sirattacker and ALC | FortiGuard Labs

Fortinet’s FortiGuard Labs’ Ransomware Roundup highlights two notable variants, Sirattacker and ALC, detailing their execution methods, ransom notes, and observed activity, including Bitcoin wallet interactions associated with the Sirattacker actor. The report also covers Fortinet protections, best practices, and guidance on preventing and responding to these threats.

Key points

  • FortiGuard Labs’ Ransomware Roundup covers Sirattacker and ALC ransomware variants focusing on Microsoft Windows.
  • Sirattacker is a Chaos ransomware variant first released in February 2023 and is linked to Chaos ransomware builders available on Dark Web networks.
  • Sirattacker is likely distributed as an Ethereum mining app, evidenced by samples with an Ethereum icon and filenames like “ETH [###].exe”.
  • Sirattacker encrypts files, adds random four-letter extensions, shows a ransom note on the Command Prompt, and replaces the desktop wallpaper with a message asking victims to contact the attacker by email; Bitcoin wallet activity is noted.
  • ALC ransomware presents a Russia-oriented ransom note, creates files on the desktop, and in some samples uses AlcDif.exe to display a full-screen ransom screen and toggle the Task Manager.
  • Fortinet provides protections (AV signatures) and guidance on backups, phishing training, and security architectures (EDR, Zero Trust, SASE) to mitigate ransomware risk.

MITRE Techniques

  • [T1036] Masquerading – Sirattacker samples are presented as Ethereum mining apps, using an Ethereum file icon and mining-themed filenames to avoid immediate suspicion during distribution. – “distributed as an Ethereum mining app because all samples include an Ethereum file icon…”
  • [T1486] Data Encrypted for Impact – Sirattacker encrypts files on the victim’s machine and adds random four-letter extensions to filenames. – “…encrypts files on the victim’s machine and adds random four-letter file extensions to their filenames.”
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Sirattacker displays a ransom note on the Command Prompt after encryption. – “Once files are encrypted, Sirattacker displays a ransom note on the Command Prompt.”
  • [T1562.001] Impair Defenses: Disable or Modify Tools – AlcDif.exe toggles Task Manager and disables it on first run, hindering defender visibility. – “The program also ‘toggles’ Task Manager. Task Manager gets disabled when the program is run for the first time.”
  • [T1083] File and Directory Discovery – ALC enumerates files on the victim machine and saves a list per drive. – “enumerates files on the compromised machine, and saves a list of those files in a separate text file for each drive found.”
  • [T1566] Phishing – Fortinet notes that most ransomware is delivered via phishing, making it the likely delivery vector. – “majority of ransomware is delivered via phishing”

Indicators of Compromise

  • [File-based IOCs] – Sirattacker and ALC related file hashes – a80908bcd96a8df6070eb9a9c83739c8d95c34d7d81b890bacda91bb05c53267, BBC6a34b48a4c71a4d9c2ae2d8c975f3b6caf2e17b86057ccbcb6686d1d5a642, and 11 more hashes
  • [File-based IOCs] – Additional hashes associated with Sirattacker/ALC variants – the full list is in the source article linked below

Read more: https://www.fortinet.com/blog/threat-research/ransomware-roundup-sirattacker-acl